I am writing to see what the general guidance and posture is on incorporating additional repositories into the build process.
Obviously, Maven Central provides a very known quantity. Are there other repositories that are viewed with the same level of trust? If so, is there a listing? If not, do we vet new sources as they bring libraries that aid our project and how is this accomplished? Incorporating other repos brings up additional areas of concern, specifically availability but also some additional security considerations to the binaries that are being retrieved. Any thoughts on this front would be much appreciated.
